The following guidance, by no means, attempts to provide every detail – rather a light touch view, using examples. The reader is encouraged to acquire a deeper understanding and to seek the proper data protection guidance for his or her own processing scenarios. A full read-through of this article is recommended.
Organisational differentiation in the public and in the private sector, the development of ICT as well as the globalisation of data processing, have increased complexity in the way personal data are processed. The concept of controller and its interaction with the concept of processor play a crucial role in the application of the GDPR, since they determine who shall be responsible and how they shall be responsible for compliance with data protection rules as well as how data subjects can exercise their rights.
According to the GDPR, ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. and;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Controller vs Processor
When it comes to assessing the determination of the purposes and the means with a view to attribute the role of ‘controller’, the crucial question is therefore to which level of details somebody should determine ‘purposes and means’ in order to be considered as a controller. The emphasis to be put on ‘purposes’ or ‘means’ may vary depending on the specific context in which the processing takes place.
With regards ‘purposes’, the question is ‘why’ the processing is happening and what is the role of possible connected actors like outsourcing companies. ‘Means’ does not only refer to the technical ways of processing personal data, but also to the ‘how’ of processing, which includes questions like ‘which data shall be processed’, ‘which third parties shall have access to this data’, ‘when data shall data be deleted’.
It is well possible that the technical and organisational means are determined exclusively by the processor. In these cases – where there is a good definition of purposes, but little or even no guidance on technical and organisational means – the means should represent a reasonable way of achieving the purpose(s) and the controller should be fully informed about the means used.
Two basic conditions for qualifying as processor are, on the one hand being a separate legal entity with respect to the controller and on the other hand, processing personal data on the controller’s behalf.
Example – outsourced company is a processor
Company ABC enters into contracts with different organisations to carry out its mail marketing campaigns and to run its payroll. It gives clear instructions (what marketing material to send out and to whom, and who to pay, what amounts, by what date etc). Even though the organisations have some discretion (including what software to use) their tasks are pretty clearly and tightly defined and though the mailing house may offer advice (e.g. advising against sending mailings in August) they are clearly bound to act as ABC instructs. Moreover, only one entity, the Company ABC, is entitled to use the data which are processed – all the other entities have to rely on the legal basis of Company ABC if their legal ability to process the data is questioned. In this case it is clear that the company ABC is the controller and each of the separate organisations can be considered as a processor regarding the specific processing of data carried out on its behalf.
Although there could have been a tendency to generally identify outsourcing as the task of a processor, nowadays situations and assessments are often much more complex.
Example – Accountants
The qualification of accountants can vary depending on the context. Where accountants provide services to the general public and small traders on the basis of very general instructions (”Prepare my tax returns”), then - as with solicitors acting in similar circumstances and for similar reasons - the accountant will be a data controller.
However, where an accountant is employed by a firm, and subject to detailed instructions from the in-house accountant, perhaps to carry out a detailed audit, then in general, if not a regular employee, he will be a processor, because of the clarity of the instructions and the consequent limited scope for discretion. However, this is subject to one major caveat, namely that where they consider that they have detected malpractice which they are obliged to report, then, because of the professional obligations they owe they are acting independently as a controller.
Example – company referred to as processor, but acting as controller
Company MarketinZ provides services of promotional advertisement and direct marketing to various companies. Company GoodProductZ concludes a contract with MarketinZ, according to which the latter company provides commercial advertising for GoodProductZ customers and is referred to as ‘processor’. However, MarketinZ decides to use GoodProducts customer database also for the purpose of promoting products of other customers. This decision to add an additional purpose to the one for which the personal data were transferred converts MarketinZ into a controller for this processing operation.
Note: in many cases, service providers specialized in certain processing of data (for example, payment of salaries) will set up standard services and contracts to be signed by controllers, de facto setting a certain standard manner of processing personal data. The imbalance in the contractual power of a small controller with respect to big service providers should not be considered as a justification for the controller to accept clauses and terms of contracts which are not in compliance with data protection law.
Let’s consider from the definition of controller, ‘alone or jointly with others’.
The likelihood of multiple actors involved in processing personal data is naturally linked to the multiple kinds of activities that, according to the GDPR, may amount to ‘processing’, which is at the end of the day, the object of the ‘joint control’. In assessing joint control, a substantive and functional approach should be taken, focusing on whether the purposes and means are determined by more than one party. However, in the context of joint control the participation of the parties to the joint determination may take different forms and does not need to be equally shared.
The mere fact that different parties cooperate in processing personal data, for example in a chain, does not entail that they are joint controllers in all cases, since an exchange of data between two parties without sharing purposes or means in a common set of operations should be considered only as a transfer of data between separate controllers.
Example – Travel Agency (1)
A travel agency sends personal data of its customers to the airlines and a chain of hotels, with a view to making reservations for a travel package. The airline and the hotel confirm the availability of the seats and rooms requested. The travel agency issues the travel documents and vouchers for its customers. In this case, the travel agency, the airline and the hotel will be three different controllers, each subject to the data protection obligations relating to its own processing of personal data.
However, the assessment may change when different actors would decide to set up a shared infrastructure to pursue their own individual purposes.
Example – Travel Agency (2)
The travel agency, the hotel chain and the airline decide to set up an internet-based common platform in order to improve their cooperation with regard to travel reservation management. They agree on important elements of the means to be used, such as which data will be stored, how reservations will be allocated and confirmed, and who can have access to the information stored. Furthermore, they decide to share the data of their customers in order to carry out integrated marketing actions. In this case, the travel agency, the airline and the hotel chain, will have joint control on how personal data of their respective customers are processed and will therefore be joint controllers with regard to the processing operations relating to the common internet-based booking platform. However, each of them would still retain sole control with regard to other processing activities, e.g. those relating to the management of their human resources.
In some cases, various actors process the same personal data in a sequence. In these cases, it is likely that at micro-level the different processing operations of the chain appear as disconnected, as each of them may have a different purpose. However, it is necessary to double check whether at macro-level these processing operations should not be considered as a ‘set of operations’ pursuing a joint purpose or using jointly defined means.
Example 1 – Transfer of employee data to tax authorities
Company XYZ collects and processes personal data of its employees with the purpose of managing salaries, missions, health insurances, etc. However, a law also imposes an obligation on the company to send all data concerning salaries to the tax authorities, with a view to reinforce fiscal control. In this case, even though both company XYZ and the tax authorities process the same data concerning salaries, the lack of shared purpose or means with regard to this data processing will result in qualifying the two entities as two separate controllers.
Example 2 - Financial transactions
Instead, let's take the case of a bank, which uses a financial messages carrier in order to carry out its financial transactions. Both the bank and the carrier agree about the means of the processing of financial data. The processing of personal data concerning financial transactions is carried out at a first stage by the financial institution and only at a later stage by the financial messages carrier. However, even if at micro level each of these subjects pursues its own purpose, at macro level the different phases and purposes and means of the processing are closely linked. In this case, both the bank and the message carrier can be considered as joint controllers.
The need to clarify distribution of control
The bottom line should be to ensure that, even in complex data processing environments, where different controllers play a role in processing personal data, compliance with data protection rules and responsibilities for possible breach of these rules are clearly allocated. It is important that a clear information notice is given to the data subjects, explaining the various stages and actors of the processing. Moreover, it should be made clear if every controller is competent to comply with all data subject's rights or which controller is competent for which right.
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018